Samba flaw exposes Synology's Linux NAS to WannaCry-like attack

Network attached storage (NAS) device maker Synology is preparing a patch for a an open source bug that is comparable to the flaw that led to the WannaCry Windows ransomware outbreak.

Tens of thousands of NAS devices used for backing up data could be remotely hacked due to a flaw in the Samba file-sharing service for Linux. Users are being advised to install the patch from Samba, which is also being prepared by device manufacturers that use Samba in their products.

Samba enables file-sharing between Windows clients and Unix or Linux servers. While it’s common on Linux servers in the enterprise, it’s also embedded in NAS devices for the consumer market.

Samba is based on the Server Message Block (SMB) file-sharing protocol that was exploited to spread the WannaCry ransomware to Windows machines.

The remote code execution flaw affects Samba from version 3.5, according to an advisory from Samba developers.

Samba 3.5 was released in 2010, however the patch is only available for version 4.4 onwards. A workaround is available for unsupported versions.

That an attacker could use one vulnerable computer to infect others on the same network has drawn comparisons to WannaCry.

As Ars Technicanotes, the flaw is only exploitable if port 445 on an un-patched computer is open to the internet. The machine would also need to permit write privileges from a shared file with a known or guessable server path.

Devices that meet the first condition amount to just under half the 230,000 Windows PCs affected by WannCry ransomware.

According to security firm Rapid7, which runs the internet-wide scanning service Sonar, 104,000 machines running vulnerable versions of Samba are exposed to the internet and 90 percent of these are unsupported, meaning they require the manual workaround.

Samba’s advisory notes that vulnerable installations allow “a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.”

If the conditions are met, it wouldn’t be difficult for an attacker to abuse it. HD Moore, the creator of Sonar and the hacking framework Metasploit, said that exploiting the Samba bug can be done with one line of code.

“If there is a vulnerable version of Samba running on a device, and a malicious actor has access to upload files to that machine, exploitation is trivial,” said Bob Rudis, chief data scientist at Rapid7.

The flaw could pose a threat to a key link in defending against ransomware, namely backing up data on a NAS. The final backup should be isolated from networked machines, however the NAS devices are an important step in this process.

Moore has demonstrated the bug working against Ubuntu 16.04 and a Synology devices.

“Many NAS environments are used as network backup systems,” said Rudis. “A direct attack or worm would render those backups almost useless. We advise that organizations create an offline copy of critical data as soon as possible if patching can not be done immediately.”

Notably, Samba does need to be enabled on PCs in order for them to be exposed to an attack, however it’s likely a lot of Linux users have done that.

“Many home and corporate network storage systems also run Samba, and it's very straightforward to enable the Samba service on any Linux endpoint,” said Rudis.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.